kadmind

SYNOPSIS

DESCRIPTION

kadmind runs on the master key distribution center (KDC), which stores the
principal and policy databases. kadmind accepts remote requests to administer the information
in these databases. Remote requests are sent, for example, by kpasswd(1), gkadmin(1M),
and kadmin(1M) commands, all of which are clients of kadmind. When you
install a KDC, kadmind is set up in the init scripts to
start automatically when the KDC is rebooted.

kadmind requires a number of configuration files to be set up for
it to work:

/etc/krb5/kdc.conf

The KDC configuration file contains configuration information for the KDC and the Kerberos administration system. kadmind understands a number of configuration variables (called relations) in this file, some of which are mandatory and some of which are optional. In particular, kadmind uses the acl_file, dict_file, admin_keytab, and kadmind_port relations in the [realms] section. Refer to the kdc.conf(4) man page for information regarding the format of the KDC configuration file.

/etc/krb5/kadm5.keytab

kadmind requires a keytab (key table) containing correct entries for the kadmin/fqdn and kadmin/changepw principals of every realm for which kadmind answers requests. The keytab can be created with the kadmin(1M) or kdb5_util(1M) command. The location of the keytab is determined by the admin_keytab relation in the kdc.conf(4) file.

/etc/krb5/kadm5.acl

kadmind uses an ACL (access control list) to determine which principals are allowed to perform Kerberos administration actions. The path of the ACL file is determined by the acl_file relation in the kdc.conf file. See kdc.conf(4). For information regarding the format of the ACL file, refer to kadm5.acl(4).

The kadmind daemon will need to be restarted to reread the kadm5.acl file after it has been modified. You can do this, as root, with the following command:

# svcadm restart svc:/network/security/kadmin:default

After kadmind begins running, it puts itself in the background and disassociates
itself from its controlling terminal.

kadmind can be configured for incremental database propagation. Incremental propagation allows slave
KDC servers to receive principal and policy updates incrementally instead of receiving
full dumps of the database. These settings can be changed in the
kdc.conf(4) file:

sunw_dbprop_enable = [true | false]

Enable or disable incremental database propagation. Default is false.

sunw_dbprop_master_ulogsize = N

Specifies the maximum number of log entries kept for incremental propagation to the slave KDC servers. The largest value allowed is 2500 entries. The default is 1000 entries.

The kiprop/<hostname>@<REALM> principal must exist in the master's kadm5.keytab file to enable
the slave to authenticate incremental propagation from the master. In the principal syntax
above, <hostname> is the master KDC's host name and <REALM> is the
realm in which the master KDC resides.
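The following shell script is an added, runnable illustration of the configuration described above; it is not code from the man page or from Solaris. It extracts relations from a kdc.conf file, checks that acl_file and admin_keytab name existing files and that kadmind_port is numeric, validates the sunw_dbprop relations against the limits stated above, and checks a klist -k listing of kadm5.keytab for the kadmin/fqdn, kadmin/changepw and kiprop/hostname principals. The realms, host names, paths and the klist output are constructed samples, and the division into required and optional checks is this example's own assumption, not kadmind's behaviour.

```shell
#!/bin/sh
# Added example, not code from the kadmind(1M) man page or from Solaris: read
# the relations kadmind uses out of a kdc.conf file, check the incremental
# propagation relations against the stated limits, and check a kadm5.keytab
# listing for the principals the page names. All paths, realms, host names
# and the klist output are constructed samples.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KDC_CONF=$WORK/kdc.conf
: > "$WORK/kadm5.acl"; : > "$WORK/kadm5.keytab"

# Constructed kdc.conf(4): EXAMPLE.COM is complete; WEAK.EXAMPLE.COM has no
# acl_file and an out-of-range ulog size.
cat > "$KDC_CONF" <<EOF
[kdcdefaults]
        kdc_ports = 88,750

[realms]
        EXAMPLE.COM = {
                acl_file = $WORK/kadm5.acl
                admin_keytab = $WORK/kadm5.keytab
                dict_file = /usr/share/lib/dict/words
                kadmind_port = 749
                sunw_dbprop_enable = true
                sunw_dbprop_master_ulogsize = 1000
        }
        WEAK.EXAMPLE.COM = {
                admin_keytab = $WORK/kadm5.keytab
                sunw_dbprop_enable = true
                sunw_dbprop_master_ulogsize = 5000
        }
EOF

# kdc_relation <kdc.conf> <REALM> <relation>: the relation's value from that
# realm's block in the [realms] section, or nothing if it is not set there.
kdc_relation() {
    awk -v realm="$2" -v key="$3" '
        /^[ \t]*\[/ { section = $0; sub(/^[ \t]*\[/, "", section)
                      sub(/].*$/, "", section); next }
        section != "realms" { next }
        /=[ \t]*\{/ { inrealm = ($1 == realm); next }
        /^[ \t]*\}/ { inrealm = 0; next }
        inrealm {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr($0, n + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            print v; exit
        }' "$1"
}

# check_realm <kdc.conf> <REALM>: 0 when the relations kadmind needs are set
# and sane, 1 otherwise; each problem is reported on stderr.
check_realm() {
    conf=$1 realm=$2 rc=0
    for rel in acl_file admin_keytab; do            # files kadmind must open
        v=$(kdc_relation "$conf" "$realm" "$rel")
        if [ -z "$v" ]; then echo "$realm: $rel not set" >&2; rc=1
        elif [ ! -e "$v" ]; then echo "$realm: $rel -> $v missing" >&2; rc=1; fi
    done
    v=$(kdc_relation "$conf" "$realm" kadmind_port)   # optional, see kdc.conf(4)
    case ${v:-749} in *[!0-9]*) echo "$realm: kadmind_port '$v' not numeric" >&2; rc=1;; esac
    v=$(kdc_relation "$conf" "$realm" sunw_dbprop_enable)
    case ${v:-false} in                             # default is false
        false) ;;
        true)  n=$(kdc_relation "$conf" "$realm" sunw_dbprop_master_ulogsize)
               n=${n:-1000}                         # default is 1000 entries
               case $n in *[!0-9]*) n=0;; esac      # non-numeric counts as out of range
               if [ "$n" -lt 1 ] || [ "$n" -gt 2500 ]; then
                   echo "$realm: sunw_dbprop_master_ulogsize must be 1..2500" >&2; rc=1
               fi ;;
        *)     echo "$realm: sunw_dbprop_enable must be true or false" >&2; rc=1 ;;
    esac
    return $rc
}

# Constructed stand-in for the output of: klist -k /etc/krb5/kadm5.keytab
KLIST_OUT='Keytab name: FILE:/etc/krb5/kadm5.keytab
KVNO Principal
---- -----------------------------------------------
   3 kadmin/kdc1.example.com@EXAMPLE.COM
   3 kadmin/changepw@EXAMPLE.COM
   2 kiprop/kdc1.example.com@EXAMPLE.COM'
# check_keytab <klist output> <REALM> <master host> <sunw_dbprop_enable>: 0 if
# kadmin/host, kadmin/changepw and, with propagation on, kiprop/host are listed.
check_keytab() {
    out=$1 rc=0 want="kadmin/$3@$2 kadmin/changepw@$2"
    if [ "$4" = true ]; then want="$want kiprop/$3@$2"; fi
    for p in $want; do
        printf '%s\n' "$out" | awk -v p="$p" '$2 == p { f = 1 } END { exit !f }' \
            || { echo "keytab lacks $p" >&2; rc=1; }
    done
    return $rc
}

check_realm "$KDC_CONF" EXAMPLE.COM && echo "EXAMPLE.COM: kdc.conf ok"
check_realm "$KDC_CONF" WEAK.EXAMPLE.COM || echo "WEAK.EXAMPLE.COM: fix before starting kadmind"
check_keytab "$KLIST_OUT" EXAMPLE.COM kdc1.example.com true && echo "kadm5.keytab ok"
```

Run it as a plain sh script. Each problem is printed on stderr and the check functions return non-zero, so the same functions can be called on the real /etc/krb5/kdc.conf and on live klist -k output before enabling the service with svcadm.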

Kerberos client machines can automatically migrate Unix users to the default Kerberos
realm specified in the local krb5.conf(4) if the user does not already have a
valid Kerberos account. You achieve this by using the pam_krb5_migrate(5) service
module for the service in question. The Kerberos service principal used by the
client machine attempting the migration must be granted the u privilege in
kadm5.acl(4). When the u privilege is used, kadmind validates user passwords
through PAM, specifically with a PAM_SERVICE name of k5migrate, by calling
pam_authenticate(3PAM) and pam_acct_mgmt(3PAM).
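The following script is added here as an example and is not taken from the man page or from Solaris. It audits a kadm5.acl file: it lists which principals are granted the u privilege discussed above, flags entries that combine a wildcard principal with the all-privilege forms x and *, and answers whether a given client service principal may perform migration. The ACL contents and principal names are constructed, and matching is on exact principal strings rather than kadmind's own wildcard rules.

```shell
#!/bin/sh
# Added example, not code from the kadmind(1M) man page or from Solaris: audit
# a kadm5.acl(4) file for holders of the u privilege (password validation for
# pam_krb5_migrate) and for wildcard entries that grant every privilege.
# The ACL contents and all principal names below are constructed.
ACL=$(mktemp)
trap 'rm -f "$ACL"' EXIT
cat > "$ACL" <<'EOF'
# principal                            privileges  [target_principal]
*/admin@EXAMPLE.COM                    *
kiprop/kdc2.example.com@EXAMPLE.COM    p
host/ws1.example.com@EXAMPLE.COM       u
helpdesk@EXAMPLE.COM                   cil         */EXAMPLE.COM
*@EXAMPLE.COM                          x
EOF

# acl_entries <file>: one "principal privileges target" line per entry,
# skipping blank and comment lines; "-" stands for no target principal.
acl_entries() {
    awk '!/^[ \t]*(#|$)/ { print $1, $2, ($3 != "" ? $3 : "-") }' "$1"
}

# acl_grants <file> <letter>: principals whose entry grants that privilege,
# either explicitly or through the all-privileges forms x and *. Principal
# strings are compared exactly; kadmind's own wildcard matching on principal
# components is not reproduced here.
acl_grants() {
    acl_entries "$1" | awk -v l="$2" '$2 == "*" || $2 == "x" || index($2, l) { print $1 }'
}

# acl_wildcard_all <file>: entries that give every privilege to a principal
# pattern containing *. These deserve review; an entry like "*@REALM x"
# makes every principal in the realm an administrator.
acl_wildcard_all() {
    acl_entries "$1" | awk '($2 == "*" || $2 == "x") && index($1, "*") { print $1 }'
}

# may_migrate <file> <client service principal>: 0 if that exact principal is
# granted u, which pam_krb5_migrate(5) clients need.
may_migrate() {
    acl_grants "$1" u | grep -qxF -- "$2"
}

echo "u (password validation) holders:"; acl_grants "$ACL" u
echo "all-privilege wildcard entries:";  acl_wildcard_all "$ACL"
may_migrate "$ACL" host/ws1.example.com@EXAMPLE.COM && echo "ws1 may migrate users"
# After editing kadm5.acl, kadmind must be restarted to reread it:
#   svcadm restart svc:/network/security/kadmin:default
```

Point the functions at /etc/krb5/kadm5.acl to audit a live KDC; wildcard holders such as */admin@REALM appear in every list because the all-privilege forms imply u and p as well.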

OPTIONS

The following options are supported:

-nofork

Specifies that kadmind does not put itself in the background and does not disassociate itself from the terminal. In normal operation, you should use the default behavior, which is to allow the daemon to put itself in the background.

-m

Specifies that the master database password should be retrieved from the keyboard rather than from the stash file. When using -m, the kadmind daemon receives the password prior to putting itself in the background. If used in combination with the -d option, you must explicitly place the daemon in the background.

-port port-number

Specifies the port on which the kadmind daemon listens for connections. The default is controlled by the kadmind_port relation in the kdc.conf(4) file.

-P pid_file

Specifies the file to which the PID of the kadmind process is written after it starts up. This can be used to identify whether kadmind is still running and to allow init scripts to stop the correct process.

-r realm

Specifies the default realm that kadmind serves. If realm is not specified, the default realm of the host is used. kadmind answers requests for any realm that exists in the local KDC database and for which the appropriate principals are in its keytab.

-x db_args

Pass database-specific arguments to kadmind. Supported arguments are for LDAP and the Berkeley-db2 plug-in. These arguments are:

NOTES

The Kerberos administration daemon (kadmind) is now compliant with the change-password standard
mentioned in RFC 3244, which means it can now handle change-password requests
from non-Solaris Kerberos clients.

The kadmind service is managed by the service management facility, smf(5), under
the service identifier:

svc:/network/security/kadmin

Administrative actions on this service, such as enabling, disabling, or requesting restart,
can be performed using svcadm(1M). The service's status can be queried using the
svcs(1) command.

The -d and -p arguments are made obsolete with the -nofork and
-port arguments, respectively. The -d and -p arguments might be removed in
a future release of the Solaris operating system.